fix: address shellcheck findings

2025-05-20 23:46:59 +02:00 · 2025-05-20 23:46:59 +02:00 · 77aa1ef1b8
parent d6fc45cdfe
commit 77aa1ef1b8
4 changed files with 60 additions and 51 deletions
--- a/build-image.sh
+++ b/build-image.sh
@ -9,8 +9,9 @@ function curl() {
  command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
 }

-shared_lib="$(dirname $0)/.shared"
-[ -e "$shared_lib" ] || curl https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1
+shared_lib="$(dirname "${BASH_SOURCE[0]}")/.shared"
+[[ -e $shared_lib ]] || curl "https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s)" | bash -s v1 "$shared_lib" || exit 1
+# shellcheck disable=SC1091  # Not following: $shared_lib/lib/build-image-init.sh was not specified as input
 source "$shared_lib/lib/build-image-init.sh"


@ -69,42 +70,43 @@ echo "

 docker buildx version # ensures buildx is enabled
 docker buildx create --config /etc/buildkitd.toml --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+# shellcheck disable=SC2154,SC2046  # base_layer_cache_key is referenced but not assigned / Quote this to prevent word splitting
 docker buildx build "$project_root" \
  --file "image/Dockerfile" \
  --progress=plain \
  --pull \
-  --build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \
+  --build-arg INSTALL_SUPPORT_TOOLS="${INSTALL_SUPPORT_TOOLS:-0}" \
  `# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \
-  --build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \
-  --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+  --build-arg BASE_LAYER_CACHE_KEY="$base_layer_cache_key" \
+  --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
  --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \
-  --build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \
+  --build-arg GIT_COMMIT_DATE="$(date -d "@$(git log -1 --format='%at')" --utc +'%Y-%m-%d %H:%M:%S UTC')" \
  --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
  --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
  --build-arg GITEA_ACT_RUNNER_VERSION="$gitea_act_runner_effective_version" \
-  --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \
+  --build-arg FLAVOR="$DOCKER_IMAGE_FLAVOR" \
  $(if [[ "${ACT:-}" == "true" || "${DOCKER_PUSH:-}" != "true" ]]; then \
    echo -n "--load --output type=docker"; \
  else \
    echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
  fi) \
-  -t $image_name \
-  -t $image_name2 \
+  -t "$image_name" \
+  -t "$image_name2" \
  $(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
  "$@"
 docker buildx stop
 set +x

 if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
-  docker image pull $image_name
+  docker image pull "$image_name"
 fi

 #################################################
 # push image to ghcr.io
 #################################################
 if [[ "${DOCKER_PUSH_GHCR:-}" == "true" ]]; then
-  (set -x; regctl image copy $image_name ghcr.io/$image_name)
-  (set -x; regctl image copy $image_name2 ghcr.io/$image_name2)
+  (set -x; regctl image copy "$image_name" "ghcr.io/$image_name")
+  (set -x; regctl image copy "$image_name2" "ghcr.io/$image_name2")
 fi


@ -113,7 +115,7 @@ fi
 #################################################
 echo
 log INFO "Testing docker image [$image_name]..."
-(set -x; docker run --rm $image_name act_runner --version)
+(set -x; docker run --rm "$image_name" act_runner --version)
 echo


@ -122,5 +124,5 @@ echo
 #################################################
 # TODO see https://gitea.com/gitea/act_runner/issues/513
 if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 && "$GITEA_ACT_RUNNER_VERSION" == "nightly" ]]; then
-  bash "$shared_lib/cmd/audit-image.sh" $image_name
+  bash "$shared_lib/cmd/audit-image.sh" "$image_name"
 fi
--- a/image/fix_permissions.sh
+++ b/image/fix_permissions.sh
@ -4,7 +4,8 @@
 # SPDX-FileContributor: Sebastian Thomschke
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
-#
+
+# shellcheck disable=SC1091  # Not following: /opt/bash-init.sh was not specified as input
 source /opt/bash-init.sh

 act_user=act
@ -12,32 +13,32 @@ act_user=act
 #################################################################
 # Adjust UID/GID and file permissions based on env var config
 #################################################################
-if [ -n "${GITEA_RUNNER_UID:-}" ]; then
-  effective_uid=$(id -u $act_user)
+if [[ -n ${GITEA_RUNNER_UID:-} ]]; then
+  effective_uid=$(id -u "$act_user")
  if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
    log INFO "Changing UID of user [$act_user] from $effective_uid to $GITEA_RUNNER_UID..."

    # workaround for:
    #    usermod -o -u "$GITEA_RUNNER_UID" $act_user
    # failing with "usermod: user act is currently used by process 1" because of /usr/bin/tini process
-    effective_gid=$(id -g $act_user)
+    effective_gid=$(id -g "$act_user")
    sed -i "s/^$act_user:x:$effective_uid:$effective_gid/$act_user:x:$GITEA_RUNNER_UID:$effective_gid/" /etc/passwd

    act_home=$(eval echo "~$act_user")
-    chown $GITEA_RUNNER_UID "$act_home"
-    find "$act_home" -user $effective_uid -exec chown $GITEA_RUNNER_UID {} \;
+    chown "$GITEA_RUNNER_UID" "$act_home"
+    find "$act_home" -user "$effective_uid" -exec chown "$GITEA_RUNNER_UID" {} \;
  fi
 fi

-if [ -n "${GITEA_RUNNER_GID:-}" ]; then
-  effective_gid=$(id -g $act_user)
+if [[ -n ${GITEA_RUNNER_GID:-} ]]; then
+  effective_gid=$(id -g "$act_user")
  if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
    log INFO "Changing GID of user [$act_user] from $effective_gid to $GITEA_RUNNER_GID..."
    groupmod -o -g "$GITEA_RUNNER_GID" $act_user

    act_home=$(eval echo "~$act_user")
-    chown :$GITEA_RUNNER_GID "$act_home"
-    find "$act_home" -group $effective_gid -exec chgrp $GITEA_RUNNER_GID {} \;
+    chown ":$GITEA_RUNNER_GID" "$act_home"
+    find "$act_home" -group "$effective_gid" -exec chgrp "$GITEA_RUNNER_GID" {} \;
  fi
 fi

@ -48,18 +49,18 @@ fi
 if [[ $DOCKER_MODE != "dind-rootless" ]]; then
  if [[ $GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST == unix://* ]]; then
    docker_sock=${GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST#unix://}
-    if runuser -u $act_user -- [ ! -r $docker_sock ] || runuser -u $act_user -- [ ! -w $docker_sock ]; then
-      docker_group=$(stat -c '%G' $docker_sock)
+    if runuser -u "$act_user" -- [ ! -r "$docker_sock" ] || runuser -u "$act_user" -- [ ! -w "$docker_sock" ]; then
+      docker_group=$(stat -c '%G' "$docker_sock")
      if [[ $docker_group == "UNKNOWN" ]]; then
-        docker_gid=$(stat -c '%g' $docker_sock)
+        docker_gid=$(stat -c '%g' "$docker_sock")
        docker_group="docker$docker_gid"
        log INFO "Creating group [$docker_group]..."
-        addgroup --gid $docker_gid $docker_group
+        addgroup --gid "$docker_gid" "$docker_group"
      fi

-      if ! id -nG $act_user | grep -qw "$docker_group"; then
-        log INFO "Adding user [$act_user] to docker group [$(getent group $docker_group)]..."
-        usermod -aG $docker_group $act_user
+      if ! id -nG "$act_user" | grep -qw "$docker_group"; then
+        log INFO "Adding user [$act_user] to docker group [$(getent group "$docker_group")]..."
+        usermod -aG "$docker_group" "$act_user"
      fi
    fi
  fi
@ -69,4 +70,4 @@ fi
 #################################################################
 # Launch the runner via act user with adjusted UID/GID/group membership
 #################################################################
-exec sudo -u $act_user -g $act_user -E bash /opt/run_runner.sh
+exec sudo -u "$act_user" -g "$act_user" -E bash /opt/run_runner.sh
--- a/image/run.sh
+++ b/image/run.sh
@ -5,6 +5,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner

+# shellcheck disable=SC1091  # Not following: /opt/bash-init.sh was not specified as input
 source /opt/bash-init.sh

 #################################################################
@ -23,7 +24,7 @@ EOF
  cat /opt/build_info
  echo

-  log INFO $(act_runner --version)
+  log INFO "$(act_runner --version)"
  log INFO "Timezone: $(date +"%Z %z")"
  log INFO "Hostname: $(hostname -f)"
  log INFO "IP Addresses: "
@ -40,17 +41,17 @@ if [[ -f /usr/bin/dockerd-rootless.sh ]]; then
  export DOCKER_MODE=dind-rootless
  log INFO "Starting Docker engine (rootless)..."
  export DOCKER_HOST=unix://$HOME/.docker/run/docker.sock
-  if [ ! -f $HOME/.config/docker/daemon.json ]; then
+  if [[ ! -f "$HOME/.config/docker/daemon.json" ]]; then
    # workaround for "Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace  storage-driver=overlay2"
-    mkdir -p $HOME/.config/docker
-    echo '{"storage-driver":"fuse-overlayfs"}' > $HOME/.config/docker/daemon.json
+    mkdir -p "$HOME/.config/docker"
+    echo '{"storage-driver":"fuse-overlayfs"}' > "$HOME/.config/docker/daemon.json"
  fi

  export container=docker # from dind-hack
  export XDG_RUNTIME_DIR=$HOME/.docker/run
-  mkdir -p $XDG_RUNTIME_DIR
-  rm -f $XDG_RUNTIME_DIR/docker.pid $XDG_RUNTIME_DIR/docker/containerd/containerd.pid
-  /usr/bin/dockerd-rootless.sh -p $HOME/.docker/run/docker.pid > "$HOME/.docker/docker.log" 2>&1 &
+  mkdir -p "$XDG_RUNTIME_DIR"
+  rm -f "$XDG_RUNTIME_DIR/docker.pid" "$XDG_RUNTIME_DIR/docker/containerd/containerd.pid"
+  /usr/bin/dockerd-rootless.sh -p "$HOME/.docker/run/docker.pid" > "$HOME/.docker/docker.log" 2>&1 &
  export DOCKER_PID=$!
  while ! docker stats --no-stream &>/dev/null; do
    log INFO "Waiting for Docker engine to start..."
@ -71,6 +72,7 @@ elif [[ -f /usr/bin/dockerd ]]; then
    sleep 2
    tail -n 1 /var/log/docker.log
  done
+  # shellcheck disable=SC2155  # Declare and assign separately to avoid masking return values
  export DOCKER_PID=$(</var/run/docker.pid)
  echo "==========================================================="
  docker info
@ -88,16 +90,16 @@ fi
 # check if act user UID/GID needs adjustment
 #################################################################
 fix_permissions=false
-if [ -n "${GITEA_RUNNER_UID:-}" ]; then
+if [[ -n ${GITEA_RUNNER_UID:-} ]]; then
  effective_uid=$(id -u act)
-  if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+  if [[ $GITEA_RUNNER_UID != "$effective_uid" ]]; then
    fix_permissions=true
  fi
 fi

-if [ -n "${GITEA_RUNNER_GID:-}" ]; then
+if [[ -n ${GITEA_RUNNER_GID:-} ]]; then
  effective_gid=$(id -g act)
-  if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+  if [[ $GITEA_RUNNER_GID != "$effective_gid" ]]; then
    fix_permissions=true
  fi
 fi
@ -110,9 +112,9 @@ if [[ $DOCKER_MODE != "dind-rootless" ]]; then
  if [[ $GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST == unix://* ]]; then
    docker_sock=${GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST#unix://}
    if [[ ! -w $docker_sock || ! -r $docker_sock ]]; then
-      docker_group=$(stat -c '%G' $docker_sock)
+      docker_group=$(stat -c '%G' "$docker_sock")
      if [[ $docker_group == "UNKNOWN" ]]; then
-        docker_gid=$(stat -c '%g' $docker_sock)
+        docker_gid=$(stat -c '%g' "$docker_sock")
        docker_group="docker$docker_gid"
        fix_permissions=true
      fi
--- a/image/run_runner.sh
+++ b/image/run_runner.sh
@ -5,11 +5,13 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
 #
+
+# shellcheck disable=SC1091  # Not following: /opt/bash-init.sh was not specified as input
 source /opt/bash-init.sh

 log INFO "Effective user: $(id)"

-cd /data
+cd /data || exit 1


 #################################################
@ -17,6 +19,7 @@ cd /data
 #################################################
 if [[ -f "$INIT_SH_FILE" ]]; then
  log INFO "Loading [$INIT_SH_FILE]..."
+  # shellcheck disable=SC1090  # ShellCheck can't follow non-constant source
  source "$INIT_SH_FILE"
 fi

@ -37,14 +40,14 @@ if [[ ${GITEA_RUNNER_LOG_EFFECTIVE_CONFIG:-false} == "true" ]]; then
    line=${line//\"/\\\"} # escape double quotes
    line=${line//\`/\\\`} # escape backticks
    eval "echo \"$line\"" | tee -a "$effective_config_file"
-  done < $GITEA_RUNNER_CONFIG_TEMPLATE_FILE
+  done < "$GITEA_RUNNER_CONFIG_TEMPLATE_FILE"
  echo "==========================================================="
 else
  while IFS= read -r line; do
    line=${line//\"/\\\"} # escape double quotes
    line=${line//\`/\\\`} # escape backticks
    eval "echo \"$line\"" >> "$effective_config_file"
-  done < $GITEA_RUNNER_CONFIG_TEMPLATE_FILE
+  done < "$GITEA_RUNNER_CONFIG_TEMPLATE_FILE"
 fi


@ -61,7 +64,7 @@ if [[ ! -s ${GITEA_RUNNER_REGISTRATION_FILE:-.runner} ]]; then
  log INFO "  GITEA_RUNNER_NAME=$GITEA_RUNNER_NAME"
  log INFO "  GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN//?/*}"
  log INFO "  GITEA_RUNNER_LABELS=$GITEA_RUNNER_LABELS"
-  wait_until=$(( $(date +%s) + $GITEA_RUNNER_REGISTRATION_TIMEOUT ))
+  wait_until=$(( $(date +%s) + GITEA_RUNNER_REGISTRATION_TIMEOUT ))
  while true; do
    if act_runner register \
      --instance "$GITEA_INSTANCE_URL" \
@ -84,6 +87,7 @@ fi
 #################################################
 # unset all variables named GITEA_... to prevent deprecation warning
 #################################################
+# shellcheck disable=SC2046  # Quote this to prevent word splitting
 unset $(env | grep "^GITEA_" | cut -d= -f1)


@ -97,13 +101,13 @@ case $DOCKER_MODE in

    function shutdown_act() {
      log INFO "Stopping act_runner..."
-      kill -SIGTERM $act_runner_pid || true
+      kill -SIGTERM "$act_runner_pid" || true
    }

    function shutdown_docker() {
      log INFO "Stopping docker engine..."
      if [[ $DOCKER_MODE == "dind-rootless" ]]; then
-        kill -SIGTERM $DOCKER_PID
+        kill -SIGTERM "$DOCKER_PID"
      else
        sudo service docker stop
      fi